EXPLORE
Sign In
← Back to Explore
splunk_escuAnomaly

GitHub Enterprise Repository Deleted

The following analytic detects when a user deletes a repository in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for repository deletion events, which could indicate unauthorized removal of critical source code and project resources. For a SOC, identifying repository deletions is crucial as it may signal account compromise, insider threats, or malicious attempts to destroy intellectual property and disrupt development operations. The impact could be severe, potentially resulting in permanent loss of source code, documentation, project history, and other critical assets if proper backups are not maintained. Repository deletion could halt development workflows, cause significant business disruption, and require substantial effort to restore from backups if available. Additionally, unauthorized repository removal could be part of a larger attack campaign aimed at destroying or compromising enterprise assets.

MITRE ATT&CK

T1485T1195

Detection Query

`github_enterprise` action=repo.destroy
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY actor, actor_id, actor_is_bot,
       actor_location.country_code, business, business_id,
       org, org_id, repo,
       repo_id, user_agent, visibility,
       action
  | eval user=actor
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `github_enterprise_repository_deleted_filter`

Author

Patrick Bareiss, Splunk

Created

2026-03-10

Data Sources

GitHub Enterprise Audit Logs

References

Tags

GitHub Malicious ActivityNPM Supply Chain Compromise
Raw Content
name: GitHub Enterprise Repository Deleted
id: f709e736-3e6c-492f-b865-bc7696cc24a7
version: 6
date: '2026-03-10'
author: Patrick Bareiss, Splunk
status: production
type: Anomaly
description: The following analytic detects when a user deletes a repository in GitHub Enterprise. The detection monitors GitHub Enterprise audit logs for repository deletion events, which could indicate unauthorized removal of critical source code and project resources. For a SOC, identifying repository deletions is crucial as it may signal account compromise, insider threats, or malicious attempts to destroy intellectual property and disrupt development operations. The impact could be severe, potentially resulting in permanent loss of source code, documentation, project history, and other critical assets if proper backups are not maintained. Repository deletion could halt development workflows, cause significant business disruption, and require substantial effort to restore from backups if available. Additionally, unauthorized repository removal could be part of a larger attack campaign aimed at destroying or compromising enterprise assets.
data_source:
    - GitHub Enterprise Audit Logs
search: |-
    `github_enterprise` action=repo.destroy
      | fillnull
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY actor, actor_id, actor_is_bot,
           actor_location.country_code, business, business_id,
           org, org_id, repo,
           repo_id, user_agent, visibility,
           action
      | eval user=actor
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `github_enterprise_repository_deleted_filter`
how_to_implement: You must ingest GitHub Enterprise logs using Audit log streaming as described in this documentation https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk using a Splunk HTTP Event Collector.
known_false_positives: No false positives have been identified at this time.
references:
    - https://www.googlecloudcommunity.com/gc/Community-Blog/Monitoring-for-Suspicious-GitHub-Activity-with-Google-Security/ba-p/763610
    - https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#setting-up-streaming-to-splunk
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: $user$ deleted a repository in GitHub Enterprise
    risk_objects:
        - field: user
          type: user
          score: 20
    threat_objects:
        - field: user_agent
          type: http_user_agent
tags:
    analytic_story:
        - GitHub Malicious Activity
        - NPM Supply Chain Compromise
    asset_type: GitHub
    mitre_attack_id:
        - T1485
        - T1195
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1485/github_delete_repository/github.json
          source: http:github
          sourcetype: httpevent